CISA: Admin Credentials of a Former Employee Leveraged to Compromise a State Government Organization

The Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing and Analysis Center (MS-ISAC) discovered that a threat actor compromised a state government organization using a former employee’s leaked admin credentials.

The agencies discovered the breach after the organization’s documents containing host and user information, including metadata, surfaced on a dark web marketplace.

The joint advisory listed common tactics, techniques, and procedures (TTPs) utilized by threat actors to compromise organizations and how to prevent similar incidents.

Former employee’s admin credentials leveraged to breach a state organization

CISA and MS-ISAC investigated the incident and determined that the attacker gained access to an internal virtual private network (VPN) on a virtual machine and accessed a SharePoint server and the employee’s workstation.

“CISA and MS-ISAC assessed that the threat actor connected to the VM through the victim’s VPN with the intent to blend in with legitimate traffic to evade detection,” the advisory said.

After gaining initial access, the threat actor performed reconnaissance, likely using CISA’s open-source tool AdFind.exe, navigated the victim’s on-premises environment, and executed several Lightweight Directory Access Protocol (LDAP) queries against a domain controller.

The threat actor then obtained another employee’s admin credentials, which were stored locally on the SharePoint server, and used them to authenticate to on-premises Active Directory and Azure AD with administrative privileges.

However, the attacker did not traverse laterally from the on-premises network to the Azure cloud environment, which hosts sensitive systems and data.

“Analysis determined the threat actor did not move laterally from the compromised on-premises network to the Azure environment and did not compromise sensitive systems,” the joint advisory stated.

The agencies determined that the threat actor’s motive was financial gain by selling the stolen documents to other cybercriminals. They also concluded that the attacker obtained the admin credentials of a former employee from a previous data breach.

CISA absolved the former employee of any wrongdoing because the exploited admin credentials had appeared on “publicly available channels containing leaked account information.”

Determining whether the former employee had intentionally misused their admin credentials to gain unauthorized access was necessary to rule out an insider threat scenario.

Meanwhile, the unnamed state organization responded by deactivating the former employee’s compromised admin account and taking the two virtualized servers offline. It also reset all user credentials and revoked the second user’s administrative privileges.

“We can only hope that the forced reset of all passwords, a necessity if a domain admin credential is compromised, is just the first step towards better securing their environment and that they implement stronger password policies, MFA for all users, and continuously scan for breached passwords in the future,” said Darren James, senior product manager at Specops Software, an Outpost24 company.

Stronger access controls needed

Notably, neither of the compromised accounts had multi-factor authentication (MFA) enabled, exposing systemic failures within a government organization.

For years, CISA has championed the adoption of multi-factor authentication across sectors, including public and private organizations, Federal Civilian Executive Branch Agencies (FCEB), and State, Local, Tribal, and Territorial (SLTT) branches.

On May 12, 2021, President Joe Biden also issued cybersecurity Executive Order 14028, directing all entities that work with the federal government to adopt zero trust, including multi-factor authentication. Similarly, Jen Easterly, Director of CISA, described zero trust as a “key element” of the country’s cyber resilience.

The incident also demonstrates that even experienced administrators are not immune from making costly cybersecurity faux pas.

“This is another unfortunate example of how even admins aren’t immune from making the most basic of errors,” James said. “As highlighted in our latest breached password research, many admins are still guilty of using default passwords, reusing passwords across multiple systems, and not enabling MFA. In fact, the top admin password we found on our breached lists was ‘admin.’”

The exploitation of the former employee’s credentials also demonstrated how threat actors could leverage valid accounts to compromise organizations in the absence of proper controls.

“Threat actors commonly leverage valid accounts, including accounts of former employees that have not been properly removed from the Active Directory (AD), to gain access to organizations,” CISA stated.

CISA and MS-ISAC noted that unnecessary accounts, software, and services expand the attack surface for threat actors to exploit.

They recommended a “robust and continuous user management” program to ensure that every former employee is properly removed from the network during offboarding and their admin credentials completely purged from the Active Directory.

“Establish policy and procedure for the prompt removal of unnecessary accounts and groups from the enterprise, especially privileged accounts,” CISA and MS-ISAC said. “Organizations should implement a robust and continuous user management process to ensure accounts of offboarded employees are removed and can no longer access the network.”
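The two control gaps the advisory describes, a former employee’s admin account left enabled and privileged accounts without MFA, can be caught by a routine audit that joins the directory’s privileged-account export with HR’s separation list. The script below is an added example, not code from CISA or MS-ISAC; the account names, field names and dates are constructed.

```python
"""Offboarding audit for privileged accounts (added example, not advisory code).
Joins a constructed directory export with a constructed HR separation list and
reports the control gaps the advisory describes; all names are hypothetical."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    name: str            # directory logon name
    enabled: bool
    privileged: bool     # member of an admin group such as Domain Admins
    mfa_enrolled: bool
    last_logon: date


def audit(accounts: list[Account], separated: dict[str, date],
          today: date) -> dict[str, list[str]]:
    """Return {account name: [finding, ...]} for accounts that need action."""
    findings: dict[str, list[str]] = {}

    def flag(acct: Account, msg: str) -> None:
        findings.setdefault(acct.name, []).append(msg)

    for acct in accounts:
        left = separated.get(acct.name)  # separation date; None for current staff
        if left is not None:
            if acct.enabled:
                flag(acct, f"former employee, account still enabled "
                           f"{(today - left).days} days after separation")
            if acct.privileged:
                # Disabling alone is not enough: privileged group membership
                # must be removed so the account cannot be re-enabled with rights.
                flag(acct, "former employee still holds privileged group membership")
            if acct.last_logon > left:
                flag(acct, "logon recorded after separation; treat as possible compromise")
        if acct.privileged and acct.enabled and not acct.mfa_enrolled:
            flag(acct, "privileged account without MFA")
    return findings


# Constructed sample data, not taken from the incident.
SEPARATED = {"jdoe-adm": date(2023, 6, 30)}
ACCOUNTS = [
    Account("jdoe-adm", True, True, False, date(2024, 1, 9)),     # offboarded, still live
    Account("asmith-adm", True, True, False, date(2024, 1, 14)),  # current admin, no MFA
    Account("bchen", True, False, True, date(2024, 1, 14)),       # standard user, compliant
]


def run_sample() -> dict[str, list[str]]:
    """Audit the constructed sample as of 2024-01-15 (an assumed review date)."""
    return audit(ACCOUNTS, SEPARATED, date(2024, 1, 15))
```

In production the two inputs would come from a scheduled directory export and the HR system feed; any account flagged with a post-separation logon belongs in incident response, not just in the cleanup queue.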

Other recommendations included implementing a robust asset management policy, observing a routine patching cycle, restricting personal devices from corporate networks, evaluating current user permissions, assessing the Azure environment’s security configuration, and evaluating conditional access policies.